Principles of Defensive Strategy
Computer or telecommunications systems that contain sensitive information, or whose functioning is critical, must be protected at high levels of security. Several policies should be mandatory:
Use of encryption for communication between system elements and use of cryptographic protocols. These practices help to ensure data integrity between major processing elements (e.g., host to host, site to site, element to element); prevent intrusion into the network between nodes (e.g., making “man-in-the-middle” attacks much more difficult); and provide strong authentication (e.g., through the use of public-key-based authentication systems that use encryption and random challenge to strengthen the authentication process or to bind other elements of the authentication such as biometrics to the identity of a user).
Minimal exposure to the Internet, which is inherently insecure. Firewalls are a minimal level of protection, but they are often bypassed for convenience. (Balancing ease of use and security is an important research area discussed elsewhere in this chapter.) Truly vital systems may require an “air gap” that separates them from public networks. Likewise, communication links that must remain secure and available should use a private network. (From a security perspective, an alternative to a private network may be the use of a connection on a public network that is appropriately secured through encryption. However, depending on the precise characteristics of the private network in question, it may—or may not—provide higher availability.)
Strong authentication technology for authenticating users. Security tokens based on encryption (such as smart cards) are available for this purpose, and all entrants from a public data network (such as a network-access provider or insecure dial-in) should use them. Furthermore, for highly critical systems, physical security must also be assured.
Robust configuration control to ensure that only approved software can run on the system and that all the security-relevant knobs and switches are correctly set.
Such measures are likely to affect ease of use and convenience, as well as cost. These are prices that must be paid, however, because hardening critical systems will greatly reduce vulnerability to a cyberattack.
might initially appear. Intruders are often indistinguishable from valid users and frequently take great care to hide their entry and make their behavior look innocuous. Detecting a denial-of-service attack is equally challenging. For example, consider an attack that is launched against the major Internet news services to coincide with a physical bomb attack. It would be nearly impossible to distinguish legitimate users, who would simply be looking for information, from attackers inundating the Web site to try to prevent access to that information, possibly increasing panic and misinformation.